My experiences as an IT professional - Anything that I write here is my personal opinion and should not be officially associated with any other entity

Saturday, June 16, 2012

A good starting point for researching Security Information and Event Management (SIEM) tools/services

Recently, I've been doing research on tools for log management and SIEM (Security Information and Event Management). As anyone who's ever been part of selecting an enterprise can testify, it's quite the daunting task.

Enterprise tools are BIG, as in they have a footprint larger than a brontasaurus, typically require a lot of work to get them set up to where they are useful and usable and they aren't any good unless someone (sometimes a small team is required) is managing them on a daily basis. Figuring out which tool best meets your needs is just as large of an endeavour.

Sometimes it can be hard to figure out just where to start, so you do some Google searches trying to find what SIEM tools are on the market, and maybe you do some searches for open source products that are up to the task and if you are lucky, you'll hit on one of Dr. Anton Chuvakin's blog posts on the subject.

He is definitely an expert in the field and currently works at Gartner doing analysis for them on the subject.

You'll also notice, if you pay close attention, that he's got a great sense of humor (and apparently likes Cognac).

Some notable blog posts of his that I think are required reading to anyone who is looking to purchase a SIEM tool are:

Top 10 criteria for a SIEM? - He goes against his better instincts and writes an informative blog post on excellent criteria, in my opinion, for beginning your assessments of the various SIEM tools

On choosing a SIEM - Here he provides some questions that a security analyst, business exec or IT manager should ask before they even begin looking for a SIEM...the questions are quite insightful and get to the heart of the matter of "do we really need this functionality?" and, more importantly, "do we have the resources to support it and make it successful?"

The myth of SIEM as "analyst in a box" - A good blog post in his series on how not to choose a SIEM. Basically, it boils down to if you don't have a security analyst or analysis team on staff already, you better get one before deploying a SIEM or your effort will be a complete failure.

Comments

A good starting point for researching Security Information and Event Management (SIEM) tools/services

Recently, I've been doing research on tools for log management and SIEM (Security Information and Event Management). As anyone who's ever been part of selecting an enterprise can testify, it's quite the daunting task.

Enterprise tools are BIG, as in they have a footprint larger than a brontasaurus, typically require a lot of work to get them set up to where they are useful and usable and they aren't any good unless someone (sometimes a small team is required) is managing them on a daily basis. Figuring out which tool best meets your needs is just as large of an endeavour.

Sometimes it can be hard to figure out just where to start, so you do some Google searches trying to find what SIEM tools are on the market, and maybe you do some searches for open source products that are up to the task and if you are lucky, you'll hit on one of Dr. Anton Chuvakin's blog posts on the subject.

He is definitely an expert in the field and currently works at Gartner doing analysis for them on the subject.

You'll also notice, if you pay close attention, that he's got a great sense of humor (and apparently likes Cognac).

Some notable blog posts of his that I think are required reading to anyone who is looking to purchase a SIEM tool are:

Top 10 criteria for a SIEM? - He goes against his better instincts and writes an informative blog post on excellent criteria, in my opinion, for beginning your assessments of the various SIEM tools

On choosing a SIEM - Here he provides some questions that a security analyst, business exec or IT manager should ask before they even begin looking for a SIEM...the questions are quite insightful and get to the heart of the matter of "do we really need this functionality?" and, more importantly, "do we have the resources to support it and make it successful?"

The myth of SIEM as "analyst in a box" - A good blog post in his series on how not to choose a SIEM. Basically, it boils down to if you don't have a security analyst or analysis team on staff already, you better get one before deploying a SIEM or your effort will be a complete failure.